DETAILED ACTION 

1. This office action is in response to applicant's response filed on 
03/10/2008. 

2. Claims 1-6 and 8-21 are pending. 

3. Claims 1 and 19-21 are amended. 

4. Claim 7 is canceled. 

Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the 
fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. 
Since this application is eligible for continued examination under 37 CFR 1.114, 
and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the 
previous Office action has been withdrawn pursuant to 37 CFR 1.114. 
Applicant's submission filed on 03/10/2008 has been entered. 

Response to Arguments 

1. Applicant's arguments with respect to claims 1-6 and 8-21 have been 
considered but are moot in view of the new ground(s) of rejection. 



Application/Control Number: 10/808,260 
Art Unit: 2134 






Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

2. Claims 1-6 and 8-21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Dotan, U.S. Patent Number 5,822,517, in view of Ostrovsky et 
al., Patent No.: 5,123,045. 

Referring to claims 1, 19, 20 and 21, Dotan teaches a system, an article of 
manufacture and a method for detecting hostile software in a computer system 
comprising: 

storing a representation of configuration data associated with an operating 
system for the computer system obtained at a first time [column 4, lines 17-20]; 

comparing the stored representation of the configuration data obtained at 
the first time with a representation of the configuration data associated with the 
operating system for the computer system obtained at a second time [column 4, 
lines 20-22]; and 

if deviation is detected between the stored representation of the configuration 
data obtained at the first time and the representation of the configuration data 
obtained at the second time, automatically performing at least one remedial 
measure in response to the deviation detected [column 4, lines 22-26]. Dotan 
does not appear to explicitly teach a method wherein the stored representation 
of configuration data is encoded prior to being stored. However, Ostrovsky 
teaches that the contents held in the slots of the buffers 21 can be readily 
observed by adversaries. To prevent adversaries from gaining any useful 
knowledge from such observation, the contents of each slot are encrypted prior 
to being stored in such slots. It is preferred that a private key probabilistic 
encryption method is used, such as presented in S. Goldwasser and S. Micali, 
"Probabilistic Encryption", Journal of Computer and System Science, Vol. 28, No. 
2, 1984, 270-299. Whenever a value is stored in memory, every bit of the value is 
probabilistically encrypted. Specifically, a seed of the pseudo-random function F 
is stored into the protected CPU, and for every bit b, a new (unused before) 
argument i is picked. The encryption (i, b XOR F(i)) is stored. Other encryption 
techniques, however, may be used [col. 7, lines 1-15 and figs. 3-5]. Dotan and 
Ostrovsky are analogous art because both teach software protection. 
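
As an added illustration (not code from this Office action, Dotan, or Ostrovsky), the sketch below stores a configuration baseline using the per-bit scheme described above, in which each bit b is stored as the pair (i, b XOR F(i)), and then compares it with a second reading. The use of HMAC-SHA256 as F, the `ProtectedCPU` class, the helper names, and the sample file-extension command lines are assumptions constructed for the example.

```python
import hashlib
import hmac
import itertools

class ProtectedCPU:
    """Holds the PRF seed; only (i, ciphertext-bit) pairs leave it."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._args = itertools.count()  # every argument i is used once

    def _F(self, i: int) -> int:
        # Assumption: HMAC-SHA256 stands in for the pseudo-random function F.
        mac = hmac.new(self._seed, i.to_bytes(8, "big"), hashlib.sha256)
        return mac.digest()[0] & 1

    def encrypt(self, data: bytes) -> list:
        pairs = []
        for byte in data:
            for shift in range(7, -1, -1):
                i = next(self._args)
                pairs.append((i, ((byte >> shift) & 1) ^ self._F(i)))
        return pairs

    def decrypt(self, pairs: list) -> bytes:
        bits = [c ^ self._F(i) for i, c in pairs]
        return bytes(
            sum(bit << (7 - n) for n, bit in enumerate(bits[k:k + 8]))
            for k in range(0, len(bits), 8)
        )

def snapshot(config: dict) -> bytes:
    """Canonical byte representation of the configuration data."""
    return "\n".join(f"{k}={config[k]}" for k in sorted(config)).encode()

def deviations(cpu: ProtectedCPU, stored: list, current: dict) -> dict:
    """Map each changed, added or removed key to (baseline, current)."""
    lines = cpu.decrypt(stored).decode().split("\n")
    baseline = dict(line.split("=", 1) for line in lines if line)
    return {
        k: (baseline.get(k), current.get(k))
        for k in baseline.keys() | current.keys()
        if baseline.get(k) != current.get(k)
    }

# Constructed sample: file-extension command lines read at the first time.
BASELINE = {".txt": "notepad.exe %1", ".bat": "cmd.exe /c %1"}
```

An observer of the stored pairs sees only the arguments i and the masked bits; the comparison at the second time requires the seed held inside `ProtectedCPU`.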

At the time of the invention, it would have been obvious to one of ordinary 
skill in the art to modify the method of Dotan to include Ostrovsky's encoding 
of data prior to its being stored because, given that an adversary only sees 
encrypted contents, he is prevented from knowing the true contents of each slot, 
including the seeds. Hereinafter, it is assumed that all values stored in 
unprotected memory are already encrypted as described above; please see KSR 
International Co. v. Teleflex Inc., 550 U.S. ___, 82 USPQ2d 1385 (2007) for further 
interpretation. 

Referring to claim 2, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data relates to 
identification of executable code installed in the computer system [column 4, 
lines 17-20]. 

Referring to claim 3, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data relates to 
identification of a command line for invoking executable code associated with a 
particular file extension [column 6, lines 4-9]. 

Referring to claim 4, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is obtained from a 
registry maintained by the operating system [column 6, lines 1-7 and fig. 1]. 

Referring to claim 5, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is obtained from at 
least one key associated with the registry [column 6, lines 1-7]. 

Referring to claim 6, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is obtained from a 
file stored in the computer system [column 6, lines 1-7]. 

Referring to claim 8, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is compared to a 
predefined value [column 4, lines 65-66, predefined value is corresponding to 
the state of the program]. 

Referring to claim 9, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is checked for 
addition of data [column 6, lines 37-50, fig. 2A and fig. 2B]. 

Referring to claim 10, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the configuration data is checked for 
removal of data [column 4, lines 22-26, an alarm signal informs a user that the 
data has been modified (addition/removal), see figs. 2A and 2B]. 

Referring to claim 11, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the at least one remedial measure 
comprises determining a storage location associated with suspected executable 
code in the computer system [column 4, lines 57-64]. 

Referring to claim 12, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the at least one remedial measure 
comprises determining whether suspected executable code is currently executing 
[column 4, lines 51-56]. 

Referring to claim 13, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the at least one remedial measure 
further comprises terminating execution of the suspected executable code 
[column 4, lines 57-64, restoring the infected program occurs by terminating 
execution of the suspected program]. 

Referring to claim 14, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the suspected executable code does not 
receive notification prior to being terminated [column 4, lines 51-56, prior to 
termination, the suspected executable program is undergoing the process of 
comparing initial state and final state]. 

Referring to claim 15, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the at least one remedial measure 
comprises moving suspected executable code to a specified storage location for 
later evaluation [column 4, lines 57-64]. 

Referring to claim 16, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the at least one remedial measure 
comprises altering configuration data associated with the operating system to 
reflect the stored representation of the configuration data [column 5, lines 8-14]. 

Referring to claim 17, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the operating system is a 
Windows-based operating system [column 6, lines 9-12]. 

Referring to claim 18, Dotan teaches a method for detecting hostile 
software in a computer system, wherein the operating system is a Linux-based 
operating system [column 6, lines 9-12, MS-DOS is corresponding to 
Linux-based operating system]. 

Conclusion 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to YONAS BAYOU whose telephone number is 
(571)272-7610. The examiner can normally be reached on M-F, 7:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Yonas Bayou/ 
Examiner, Art Unit 2134 
04/21/2008 
/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2134 



